Cisco VPNClient does not work with SELinux enabled in FC4

Daniel J Walsh dwalsh at redhat.com
Sun May 28 11:04:56 UTC 2006


yukku yukkoooooo wrote:
> Hi,
>     I am running on FC4 and I installed Cisco VPN client software, 
> however when I run vpnclient I am getting the error message :
> "vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied"
This is strange.

Have you tried

chcon -t textrel_shlib_t /opt/cisco-vpnclient/lib/libvpnapi.so
> Friendly neighbourhood Paul Howarth correctly guessed it to be related 
> to SELinux.
> I am able to run the vpnclient by disabling the SELinux using
> setenforce 0
> The chcon command did not work (apparently it is not supposed to work 
> in FC4)
> I get a error message "type=AVC msg=audit(1147460693.437:11955217): 
> avc: denied { execmod } "
> if I disable selinux and run the vpnclient command.
> > Paul Howarth wrote :
> > > The memory checks are present in FC4 but disabled by default. It 
> > > appears
> > > that they have somehow been enabled on your system.
>  This should fix 
> it:
> > > # setsebool -P allow_execmod 1
> > 
> > I gave this command and it still does not work with
> > SELinux. So digged a littlebit and gave the command
> > # getsebool -a | less
> > and I got a long output of which I took the ones that might
> > make sense to you -
> > allow_execmem --> active
> > allow_execmod --> active
> > allow_execstack --> active
> > allow_kerberos --> active
> > allow_write_xshm --> active
> > allow_ypbind --> active
> >> There's something very weird going on there. allow_execmod should do
> >> what it says. I'd try asking about this on fedora-selinux-list,
>
> setsebool with execmod is not working either.
> I have attached the relevant files as well. Any ideas ?
> This should give you an idea of the SELinux version
> > selinux-doc-1.19.5-1.noarch.rpm
> >
>  selinux-policy-strict-1.23.16-6.noarch.rpm
> > selinux-policy-targeted-1.23.16-6.noarch.rpm
>
> Thanks
> Newbie Yukku
>
>   
>
> ------------------------------------------------------------------------
> New Yahoo! Messenger with Voice. Call regular phones from your PC 
> <http://us.rd.yahoo.com/mail_us/taglines/postman5/*http://us.rd.yahoo.com/evt=39666/*http://messenger.yahoo.com> 
> and save big.
> ------------------------------------------------------------------------
>
> type=SYSCALL msg=audit(1147715609.949:3621791): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfc7b7b8 a2=1 a3=bfc7b7b8 items=0 pid=4330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
> type=AVC msg=audit(1147715609.949:3621791): avc:  granted  { setenforce } for  pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
> type=AVC_PATH msg=audit(1147715612.195:3634219):  path="/opt/cisco-vpnclient/lib/libvpnapi.so"
> type=SYSCALL msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
> type=AVC msg=audit(1147715612.195:3634219): avc:  denied  { execmod } for  pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
>   
> ------------------------------------------------------------------------
>
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 19
> Policy from config file:        targeted
>
> Policy booleans:
> NetworkManager_disable_trans    inactive
> allow_execmem                   active
> allow_execmod                   active
> allow_execstack                 active
> allow_kerberos                  active
> allow_write_xshm                inactive
> allow_ypbind                    inactive
> apmd_disable_trans              inactive
> arpwatch_disable_trans          inactive
> auditd_disable_trans            inactive
> bluetooth_disable_trans         inactive
> canna_disable_trans             inactive
> cardmgr_disable_trans           inactive
> comsat_disable_trans            inactive
> cupsd_config_disable_trans      inactive
> cupsd_disable_trans             inactive
> cvs_disable_trans               inactive
> cyrus_disable_trans             inactive
> dbskkd_disable_trans            inactive
> dhcpc_disable_trans             inactive
> dhcpd_disable_trans             inactive
> dovecot_disable_trans           inactive
> fingerd_disable_trans           inactive
> ftp_home_dir                    active
> ftpd_disable_trans              inactive
> ftpd_is_daemon                  active
> hald_disable_trans              inactive
> hotplug_disable_trans           inactive
> howl_disable_trans              inactive
> httpd_builtin_scripting         active
> httpd_can_network_connect       inactive
> httpd_disable_trans             inactive
> httpd_enable_cgi                active
> httpd_enable_homedirs           active
> httpd_ssi_exec                  active
> httpd_suexec_disable_trans      inactive
> httpd_tty_comm                  inactive
> httpd_unified                   active
> i18n_input_disable_trans        inactive
> inetd_child_disable_trans       inactive
> inetd_disable_trans             inactive
> innd_disable_trans              inactive
> kadmind_disable_trans           inactive
> klogd_disable_trans             inactive
> krb5kdc_disable_trans           inactive
> ktalkd_disable_trans            inactive
> lpd_disable_trans               inactive
> mysqld_disable_trans            inactive
> named_disable_trans             inactive
> named_write_master_zones        inactive
> nfs_export_all_ro               active
> nfs_export_all_rw               active
> nmbd_disable_trans              inactive
> nscd_disable_trans              inactive
> ntpd_disable_trans              inactive
> portmap_disable_trans           inactive
> postgresql_disable_trans        inactive
> pppd_disable_trans              inactive
> pppd_for_user                   inactive
> privoxy_disable_trans           inactive
> ptal_disable_trans              inactive
> radiusd_disable_trans           inactive
> radvd_disable_trans             inactive
> read_default_t                  active
> rlogind_disable_trans           inactive
> rsync_disable_trans             inactive
> samba_enable_home_dirs          inactive
> saslauthd_disable_trans         inactive
> slapd_disable_trans             inactive
> smbd_disable_trans              inactive
> snmpd_disable_trans             inactive
> squid_connect_any               inactive
> squid_disable_trans             inactive
> stunnel_disable_trans           inactive
> stunnel_is_daemon               inactive
> syslogd_disable_trans           inactive
> system_dbusd_disable_trans      inactive
> telnetd_disable_trans           inactive
> tftpd_disable_trans             inactive
> udev_disable_trans              inactive
> use_nfs_home_dirs               inactive
> use_samba_home_dirs             inactive
> uucpd_disable_trans             inactive
> winbind_disable_trans           inactive
> ypbind_disable_trans            inactive
> ypserv_disable_trans            inactive
> zebra_disable_trans             inactive
>   
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list




More information about the fedora-selinux-list mailing list